CVE-2023-5414
📋 TL;DR
This vulnerability in the Icegram Express WordPress plugin allows administrator-level attackers to perform directory traversal attacks via the show_es_logs function. Attackers can read arbitrary files on the server, potentially accessing sensitive information from other sites in shared hosting environments. WordPress sites using vulnerable versions of the Icegram Express plugin are affected.
💻 Affected Systems
- Icegram Express (Email Subscribers) WordPress Plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Administrator-level attackers can read sensitive files including configuration files, database credentials, and files from other websites on shared hosting, leading to complete system compromise and data exfiltration.
Likely Case
Compromised administrator accounts can read sensitive server files, potentially accessing credentials and configuration data that could lead to further attacks.
If Mitigated
With proper access controls and file permissions, impact is limited to files accessible to the web server user, though sensitive information may still be exposed.
🎯 Exploit Status
Exploitation requires administrator privileges. Public proof-of-concept code is available in vulnerability reports.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.6.24 and later
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the 'Icegram Express' plugin.
4. Click 'Update Now' if available.
5. Alternatively, download version 5.6.24+ from the WordPress repository and update manually.
🔧 Temporary Workarounds
Disable vulnerable function
Remove or disable the show_es_logs function in vulnerable plugin files
Edit class-email-subscribers-logs.php and comment out or remove the vulnerable show_es_logs function
Restrict file permissions
Set strict file permissions to limit what the web server user can read
chmod 600 sensitive_config_files
chown root:root sensitive_files
(The file names above are placeholders. Files that PHP itself must read, such as wp-config.php, still need to be readable by the web server user, so this limits exposure only for files outside the site's own requirements.)
🧯 If You Can't Patch
- Remove administrator privileges from untrusted users
- Implement web application firewall rules to block directory traversal patterns
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for Icegram Express version. If version is 5.6.23 or lower, you are vulnerable.
Check Version:
wp plugin list --name=email-subscribers --field=version (if WP-CLI is installed; email-subscribers is the plugin's WordPress.org slug, as seen in the reference URLs)
Verify Fix Applied:
After updating, verify plugin version shows 5.6.24 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Unusual file access patterns in web server logs
- Requests to plugin endpoints with ../ sequences
- Access to files outside expected plugin directories
Network Indicators:
- HTTP requests containing directory traversal sequences to plugin endpoints
SIEM Query:
web.url:*show_es_logs* AND web.url:*../*
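To run the same hunt over raw access logs, here is an added Python example (not from the advisory's sources or the plugin) that applies the SIEM query's logic to Apache-style log lines and additionally percent-decodes the URL so that `%2e%2e%2f` and double-encoded traversal sequences, which a literal `../` match misses, are also flagged. The log lines are constructed, and the query-string layout (`action=show_es_logs&file=`) is an assumption made for the sample, not the plugin's actual request format.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Apache combined format); not real traffic.
# The parameter names are assumed for illustration only.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2023:12:00:01 +0000] "GET /wp-admin/admin.php?page=es_logs HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:12:00:05 +0000] "GET /wp-admin/admin.php?page=es_logs&action=show_es_logs&file=../../../../wp-config.php HTTP/1.1" 200 3100 "-" "Mozilla/5.0"
203.0.113.11 - - [10/Oct/2023:12:00:09 +0000] "GET /wp-admin/admin.php?page=es_logs&action=show_es_logs&file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1800 "-" "curl/8.0"
198.51.100.7 - - [10/Oct/2023:12:01:00 +0000] "GET /wp-content/plugins/email-subscribers/lite/admin/images/logo.png HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, URL, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)
# Forward- or back-slash parent-directory sequences after decoding.
TRAVERSAL_RE = re.compile(r'(\.\./|\.\.\\)')


def normalise_url(url):
    """Percent-decode repeatedly (bounded) so %2e%2e%2f and double-encoded
    forms such as %252e%252e%252f collapse to a plain '../'."""
    for _ in range(3):
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    return url


def is_suspicious(url):
    """Same predicate as the SIEM query, applied to the decoded URL."""
    u = normalise_url(url).lower()
    return 'show_es_logs' in u and TRAVERSAL_RE.search(u) is not None


def scan_log(text):
    """Return one record per matching request; non-matching lines are skipped."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_suspicious(m['url']):
            hits.append({'ip': m['ip'], 'ts': m['ts'],
                         'url': m['url'], 'status': int(m['status'])})
    return hits


if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG):
        print(hit['ts'], hit['ip'], hit['status'], hit['url'])
```

A 200 status on a flagged request is the record to prioritise, since it indicates the file was actually served; correlate the client IP with the WordPress user session that was active at that time.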
🔗 References
- https://plugins.trac.wordpress.org/browser/email-subscribers/trunk/lite/includes/classes/class-email-subscribers-logs.php?rev=2919465#L28
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=2977318%40email-subscribers%2Ftrunk&old=2972043%40email-subscribers%2Ftrunk&sfp_email=&sfph_mail=#file4
- https://www.wordfence.com/threat-intel/vulnerabilities/id/417186ba-36ef-4d06-bbcd-e85eb9219689?source=cve